Mustacchio

Target IP: 10.10.31.204


Scanning

[Screenshot: port scan results]
There are three TCP ports open on the target machine, as shown above.


Enumeration

Port 80: HTTP
[Screenshot: web page served on port 80]
The webpage above is displayed for this application.

[Screenshot: gobuster directory search results]
Doing a directory search with the command gobuster dir -u http://10.10.31.204/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt gives the result above. The interesting directory is /custom.

[Screenshot: contents of /custom/js/users.bak]
There is a file called users.bak in the /custom/js directory. The contents of this file are shown above. I used CrackStation to crack this hash and obtained the password bulldog19. I now have the credential admin:bulldog19.

Port 8765: HTTP

[Screenshot: login page on port 8765]
The login page above is displayed for this port. I used the credential I obtained to gain access to this web application.

[Screenshot: web page shown after logging in]
After logging in, the webpage above is shown. Reading the source code gives three key details:

[Screenshot: page source with the three key details]
I downloaded the dontforget.bak file first; the format of this XML file is what I can reuse to launch XXE attacks against the comment feature.


Exploitation

[Screenshot: XXE payload and the /etc/passwd contents returned]
I created the payload above to match the format required by the application. After sending it, I got the /etc/passwd file! I noticed there are two users: barry and joe. From the previous enumeration, I should be able to obtain the SSH key of barry.

[Screenshot: SSH key of barry retrieved via XXE]
Using the XXE payload shown below, I now have the SSH key of barry.
Payload used to obtain the SSH key of user barry:
[Screenshot: XXE payload used to read barry's SSH key]
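Both XXE steps above work because the application hands user-supplied XML to a parser that honours an inline DTD, so an external entity pointing at a local file is expanded into the response. The block below is an added example, not code from the original writeup or from the Mustacchio application: it shows the server-side gate a defender would put in front of such a comment parser. The element names (comment, author, text) and both sample documents are constructed for illustration and do not reproduce the real dontforget.bak layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed benign submission in a hypothetical comment format.
BENIGN_COMMENT = b"""<?xml version="1.0"?>
<comment>
  <author>barry</author>
  <text>Great site!</text>
</comment>"""

# Constructed XXE-style submission of the kind described in the writeup: an
# inline DTD declares an external entity pointing at a local file and the
# body references it, so a permissive parser would inline the file contents.
XXE_COMMENT = b"""<?xml version="1.0"?>
<!DOCTYPE comment [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<comment>
  <author>barry</author>
  <text>&xxe;</text>
</comment>"""

# A plain data document has no business carrying markup declarations, so any
# DOCTYPE or ENTITY declaration is rejected before the parser sees the input.
# The check assumes UTF-8 (or ASCII-compatible) input; normalise encoding first
# if the endpoint accepts others.
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def contains_dtd(data: bytes) -> bool:
    """True if the document declares a DOCTYPE or an ENTITY."""
    return _DTD_MARKER.search(data) is not None


def parse_comment(data: bytes) -> dict:
    """Parse a comment document, refusing anything that carries a DTD.

    Returns {'author': ..., 'text': ...}. Raises ValueError on rejection.
    The stdlib ElementTree parser is the second line of defence: it does not
    fetch external entities itself, but the explicit gate gives a clear error
    and a loggable event instead of a parser-dependent failure.
    """
    if contains_dtd(data):
        raise ValueError("DTD declarations are not accepted")
    root = ET.fromstring(data)
    if root.tag != "comment":
        raise ValueError("unexpected root element %r" % root.tag)
    return {
        "author": root.findtext("author", default=""),
        "text": root.findtext("text", default=""),
    }


def accept_or_reject(data: bytes):
    """Triage helper: ('accepted', parsed_dict) or ('rejected', reason)."""
    try:
        return "accepted", parse_comment(data)
    except (ValueError, ET.ParseError) as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_COMMENT), ("xxe", XXE_COMMENT)):
        print(label, accept_or_reject(doc))
```

Rejecting the declaration outright is simpler and safer than trying to disable entity resolution feature by feature on whichever parser the application uses; the same pre-check also doubles as a detection signal, since a comment endpoint receiving a DOCTYPE is worth alerting on.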

[Screenshot: cracking the SSH key passphrase and logging in as barry]
I copied the SSH key by viewing the source code of the webpage. I cracked the passphrase of the SSH key using john and obtained the passphrase urieljames, changed the permissions of the SSH key to 400, and used this key to access SSH as barry. Now I have a foothold on the machine.


Privilege Escalation

[Screenshot: binary with the SUID bit set]
This is an interesting binary with the SUID bit set.

[Screenshot: strings output showing tail called without an absolute path]
Running strings on this binary shows that it calls tail without an absolute path, meaning I can create a malicious version of tail that the binary will run instead.
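The root cause here is a setuid binary that spawns a helper by bare name, so whatever PATH the caller supplies decides which tail runs. The following is an added audit script, not code from the original writeup or from the room's binary: it lists setuid files under a directory, pulls the printable strings out of each one and flags strings that look like a common utility invoked without an absolute path, together with any shell-spawning libc symbols present. The sample binary it builds in demo() is constructed bytes, not the real SUID file from the machine, and the utility list is a heuristic that can be extended.

```python
import os
import re
import stat
import tempfile

# Utilities commonly invoked from system()/popen() in small helper programs.
COMMON_UTILS = {
    "tail", "head", "cat", "ls", "cp", "mv", "rm", "sh", "bash",
    "grep", "awk", "sed", "chmod", "chown", "id", "whoami", "find",
}

# libc entry points that run a command through a PATH lookup or a shell.
SPAWN_SYMBOLS = ("system", "popen", "execvp", "execlp", "execvpe")

_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def find_suid(root: str):
    """Return regular files under `root` whose mode has the setuid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def strings(data: bytes, min_len: int = 4):
    """Printable ASCII runs of at least `min_len` bytes, like strings(1)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pat.finditer(data)]


def relative_command_refs(data: bytes):
    """Strings whose first word is a common utility with no absolute path,
    e.g. 'tail -f /var/log/nginx/access.log' (flagged) vs '/usr/bin/id' (not)."""
    refs = []
    for s in strings(data):
        words = s.split()
        if words and words[0] in COMMON_UTILS:
            refs.append(s)
    return refs


def shell_spawn_symbols(data: bytes):
    """Which of SPAWN_SYMBOLS appear verbatim among the binary's strings."""
    present = set(strings(data))
    return [sym for sym in SPAWN_SYMBOLS if sym in present]


def audit(root: str) -> dict:
    """Map each setuid file under `root` to its findings (empty dict if clean)."""
    report = {}
    for path in find_suid(root):
        with open(path, "rb") as fh:
            data = fh.read()
        refs = relative_command_refs(data)
        spawns = shell_spawn_symbols(data)
        if refs or spawns:
            report[path] = {"relative_commands": refs, "spawn_functions": spawns}
    return report


# Constructed stand-in for a vulnerable helper: an ELF-looking header, a
# reference to system(), one bare 'tail' command line and one absolute path.
SAMPLE_BINARY = (
    b"\x7fELF\x00\x00system\x00"
    b"tail -f /var/log/nginx/access.log\x00"
    b"/usr/bin/id\x00"
)


def demo() -> dict:
    """Build the sample setuid file in a temp dir, audit it and return findings
    keyed by file name so the result is independent of the temp path."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "live_log")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_BINARY)
        os.chmod(path, 0o4755)  # setuid bit on a file we own
        return {os.path.basename(p): v for p, v in audit(tmp).items()}


if __name__ == "__main__":
    print(demo())
```

The fix on the binary side is the mirror image of the finding: call the helper by absolute path (or exec it directly without a shell) and reset PATH to a fixed value before spawning anything from a privileged process. The audit is cheap enough to run over /usr and /opt on every image build.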

[Screenshot: root shell]
And now I have a root shell. GG.


Flags

[Screenshot: user.txt]
The user.txt flag, obtained once I gained a foothold on the machine using the SSH key.

[Screenshot: root.txt]
The root.txt flag, obtained once I used the SUID binary by creating a malicious tail that exploits the PATH vulnerability.